A security vulnerability impacting macOS High Sierra allows admins to
unlock the App Store preferences in System Preferences by providing
any password.

The issue was found to affect macOS 10.13.2, the latest iteration of the
platform, and can be reproduced only if the user is logged in as
administrator. For non-admin accounts, the correct credentials are
necessary to unlock the preferences pane.

macOS High Sierra 10.13.2 users interested in reproducing the
bug should log into their machines as administrators, then
navigate to the App Store preferences in System Preferences.

Next, users should click on the padlock icon to lock it if necessary, then
click it again. When prompted to enter the login credentials, they can
use any password and still unlock the Prefpane.

Interesting.
Prepare a dossier by stealing data online (or maybe just the Equifax
data?) and use it to construct a plausible case for infidelity.
Would it seem more real if it came by mail?

KrebsOnSecurity heard from a reader whose friend
recently received a remarkably customized extortion letter via snail
mail that threatened to tell the recipient’s wife about his
supposed extramarital affairs unless he paid $3,600 in bitcoin. The
friend said he had nothing to hide and suspects this is part of a
random but well-crafted campaign to prey on men who may have a guilty
conscience.

The letter addressed the recipient by his first
name and hometown throughout, and claimed to have evidence of the
supposed dalliances.

… Of course, sending extortion letters via postal mail is mail
fraud, a crime which carries severe penalties (fines of up to $1
million and up to 30 years in jail). However, as the extortionist
rightly notes in his letter, the likelihood that authorities would
ever be able to catch him is probably low.

The last time I heard of or saw this type of
targeted extortion by mail was in the wake of the 2015
breach at online cheating site AshleyMadison.com. But those
attempts made more sense to me since obviously many AshleyMadison
users quite clearly did have an affair to hide.

… I opted not to publish a scan of the letter
here because it was double-sided and redacting names, etc. gets dicey
thanks to photo and image manipulation tools. Here’s
a transcription of it instead (PDF).

In the most recent object lesson in a data breach
privilege case, a federal appeals court has ordered a Michigan-based
mortgage lender to turn over privileged forensic investigatory
documents after the investigator’s conclusions were revealed in
discovery.

… In an interrogatory response, United Shore
said that it retained a forensic firm – through counsel – to
investigate the breach that had concluded XMS’s action caused the
intrusions. The interrogatory stated that its forensic investigator
determined that “certain files stored in XMS’s … system had
been accessed without authorization … in plain violation of
established security protocols.” United Shore disclosed more than
150 non-privileged documents concerning the investigation, but it
withheld additional documents based on the attorney client privilege.

District Court Ruling. XMS moved to
compel United Shore to produce the privileged documents, arguing that
it implicitly waived the attorney-client privilege by referencing its
investigator’s conclusions in its discovery response.

The district court agreed. It concluded that United Shore not only
disclosed that its investigator “conducted an investigation ... [but]
also provided ... conclusions from that investigation.”

Would we pass a law like this if we were starting
from zero today? Probably not.

The House of Representatives voted on Thursday to
extend the National Security Agency’s warrantless surveillance
program for six years with minimal changes, rejecting a push by a
bipartisan group of lawmakers to impose significant privacy limits
when it sweeps up Americans’ emails and other personal
communications.

The vote, 256 to 164, centered on an expiring law
that permits the government, without a warrant, to collect
communications from United States companies like Google and AT&T
of foreigners abroad — even when those targets are talking to
Americans.

Law is complex. Is there any place to ask about a
topic and get answers that point out differences in all 50 states?

Connecticut’s highest court ruled
Thursday on an issue that most people may think is already settled,
saying doctors have a duty to keep patients’ medical records
confidential and can be sued if they don’t.

The Supreme Court’s 6-0 decision
overturned the ruling of a lower court judge who said Connecticut had
yet to recognize doctor-patient confidentiality.

The high court’s ruling reinstated a
lawsuit by former New Canaan resident Emily Byrne against the Avery
Center for Obstetrics & Gynecology in Westport.

Read more on Boston Herald, while I scratch my head over this one.
Connecticut health law never required confidentiality? Seriously? From
reading the rest of the article, it sounds like the center had a pretty
clear privacy policy that made it clear that they might disclose in
response to subpoenas, but even so…

So for all this time, mental health patients in
Connecticut had no enforceable right to confidentiality? Or was
there an exception for mental health?

How could this be????

Governments do not do IT well. (I may have said
that a few hundred times.)

“Most of the 22 selected agencies did not
identify all of their information technology (IT) contracts. The
selected agencies identified 78,249 IT-related contracts, to which
they obligated $14.7 billion in fiscal year 2016. However, GAO
identified 31,493 additional contracts with $4.5 billion obligated,
raising the total amount obligated to IT contracts in fiscal year
2016 to at least $19.2 billion (see figure). The percentage of
additional IT contract obligations GAO identified varied among the
selected agencies. For example, the Department of State did not
identify 1 percent of its IT contract obligations. Conversely, 8
agencies did not identify over 40 percent of their IT-related
contract obligations. Many of the selected agencies that
did not identify these IT acquisitions did not follow Office of
Management and Budget’s (OMB) guidance.

... agencies will likely miss an opportunity to
strengthen CIOs’ authority and the oversight of IT acquisitions.
As a result, agencies may award IT contracts that are duplicative,
wasteful, or poorly conceived.”

Fiat Chrysler Automobiles said on Thursday it will
shift production of Ram heavy-duty pickup trucks from Mexico to
Michigan in 2020, a move that lowers the risk to the automaker’s
profit should President Donald Trump pull the United States out of
the North American Free Trade Agreement.

Introducing the all-new Voice
Dictation v2.0, a speech recognition app that lets you type with
your voice. There’s no software to install, there’s no training
required and all you need is Google Chrome on your Windows PC, Mac OS
or Linux.

Dictation can recognize spoken words in English,
Hindi, Español, Italiano, Deutsch, Français, and all the other
popular languages.

Another unique feature of Dictation is support for voice
commands that let you do more with your voice. For instance, you
can say a command like “new line” or “nueva línea” to insert a line.
You can add punctuation, special symbols and even
smileys using simple commands in most languages.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with. That includes everything from inventorying hardware and software, to converting systems and data, to training end users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT audit, computer security, and a variety of unique IT projects.